For companies looking to avoid an embarrassing DNC-style attack, a devastating Sony Pictures-level hack or career-ending Target-type breach, IBM is proposing a solution: Let us try to hack you.
IBM's X-Force Red team of ethical hackers-for-hire will perform stress tests of corporate networks to pinpoint vulnerabilities before criminal hackers — with less worthy intentions — discover those holes.
"The bad guys are testing your systems right now, the only difference is you don't get the report," said Charles Henderson, global head of X-Force Red.
The team is a new division of IBM Security, part of a broader strategy aimed at capturing more of the market for end-to-end security solutions.
The worldwide security software market grew 3.7 percent in 2015, and totaled $22.1 billion, according to a Gartner global security software report for 2015. Security information and event management was the fastest-growing segment, with 15.8 percent growth.
IBM was the only one of the top five security vendors to grow in 2015, which Gartner attributed to its strong performance in this segment. IBM's security software revenue grew 2.5 percent to $1.45 billion in 2015, said Gartner. The two biggest security software vendors — Symantec and Intel — saw their multibillion dollar businesses contract 6.2 and 4.1 percent, respectively.
X-Force Red will focus on testing four areas that are considered the most vulnerable: applications, networks, hardware and employees. The service is tailored to customers' needs, and findings are delivered via a report, an online application and in person.
The team then makes recommendations on how to remedy any issues. IBM will offer the service at various pricing levels — starting at under $10,000 for a specific project, scaling to multimillion dollar managed service agreements, Henderson said.
The number of security incidents reported in 2015 was 64 percent higher than in 2014, according to the X-Force IBM Cyber Security Intelligence Index, published in April.
"In thinking like an attacker, you start to realize that software flaws are not industry specific," Henderson said. "We have clients from major financials to video gaming."
IBM Security falls under IBM's Strategic Imperatives group, which reported $31 billion in revenue for the 12 months preceding the second quarter. The security division grew 18 percent year over year.
Despite numerous recent headline-grabbing breaches, most recently disrupting the U.S. presidential campaign, security remains an afterthought at many organizations, said Henderson. For example, 33 percent of companies do not test mobile apps for vulnerabilities, according to IBM's The State of Mobile Application Insecurity published in March 2015.
The rise of things like ransomware and continued success of email phishing scams puts company employees unwittingly at the center of many breaches. There is no point deploying sophisticated security software without also educating employees about security best practices, said Henderson.
"We can optionally spoof people at the company to see who falls for it," he said. "A criminal would try and steal something when they click, we might try and educate someone when they click."
The goal is to encourage employees to scrutinize messages more carefully, rather than simply accepting them at face value, said Henderson.